For the cloud to thrive, security must be better

Enterprises look at the new concept of cloud computing and judge it by the rules of old-school IT management. That has got to change, says Engine Yard's Tom Mornini.
Written by Tom Mornini, Engine Yard, Contributor on
Commentary - The growing success of cloud computing is driving organizations in every industry to work out how the cloud affects their business. Cloud, as a topic of discussion, has moved beyond developers and IT departments and into the boardrooms of some of the world's most prestigious organizations, among them NASA, Eli Lilly and 3M, all of which are using the cloud in some way. While debate rages about the benefits cloud computing delivers, few topics are argued as hotly as cloud security.

Security is one of the most talked-about concerns in computing, but much of the concern about cloud security stems from confusion about how it actually works and how companies should go about managing it. In many cases, enterprises look at this new model and judge it by the same rules they apply to old-school, on-premise IT.

Today, enterprises are demanding that cloud providers keep innovating on behalf of the industry: that they use, adopt and even develop standards that drive performance, scalability and user satisfaction while meeting or exceeding the security of traditional on-premise IT. It has become very clear that while many enterprise IT people appreciate the cloud, security has become the rallying point for those who resist it. For this reason, I believe that cloud security must be demonstrably better than traditional computing security before the cloud is fully accepted; the risks are too high for enterprises to bear otherwise.

Here are some factors to keep in mind when deciding whether or not cloud security is good enough for your enterprise:

Reasonable security standards
A large number of data breaches occur because of failures in internal security and procedures. Security concerns are the number one roadblock to enterprise adoption of cloud computing, yet most breaches happen on-premise. Whether the cause is a bug in application code, unencrypted network traffic inside a "secure" data center, a disgruntled employee or a thief on the payroll, enterprise data may well be safer in the cloud.

The case for public cloud
While it may sound counter-intuitive, I firmly believe that applications deployed to public clouds will prove to be more secure than those deployed on private clouds. Why? Because the on-premise approach to security is the modern-day equivalent of the Maginot Line: a fortified perimeter only stops attacks that come from the direction it faces, and data is only secure if it is protected from attacks from every direction. Putting data in a building with a guard in front of a large steel door is not the answer to today's security problems.

Physical security matters, but it is short-sighted to believe that vendors and outside companies cannot physically secure your data as thoroughly as your own organization can. Since when has running data centers, servers and switches been a unique skill?

How cloud security is different
Applications built and deployed on public clouds are not secured by traditional perimeter methods; instead they rely on controls suited to modern threats. Chief among these is separation of duties: the people who understand what the data means should not be the people who administer the systems holding it, and neither group should be the one with physical access to the hardware. A single insider, or a single compromised account, then lacks the combination of knowledge and access needed to find and extract what matters.

Imagine trying to physically take data from a public cloud provider:

Step 1) Break into the well secured data center
Step 2) Behold hundreds of racks of identical servers
Step 3) Attempt to locate servers storing desired info
Step 4) Realize there are no labels and no physical proximity to aid in locating these servers
Step 5) Unrack or gain root access
Step 6) Say hello to the IaaS vendors’ security detail and local law enforcement

When you take a close look, it’s clearly not practical. :-)

The importance of security professionals
Security professionals are some of the most important hires an enterprise makes. Unfortunately, security does not show up on the bottom line. If I were running a media company, my top priorities would not include building a crack IT security team. In fact, I'd want such a team about as much as I'd want a team of electrical engineers on the payroll to run the power plant behind the building.

IaaS providers have a strong incentive to build highly specialized teams that know how to secure data, and these organizations have deep security expertise within their functional domain. Moving to the cloud can augment an enterprise's security capabilities by letting larger, more specialized teams focus on securing the platform beneath enterprise applications. These external teams handle the day-to-day work of securing the bits: monitoring stack components for vulnerabilities and patching them, backing up data, hardening operating systems, and so on. That frees the enterprise's internal security experts to concentrate on the security of the application itself.

Two questions executives aren’t asking
I believe that the two most important questions are not getting asked at all:

  • Are all stack components open-source projects that are fully transparent and scrutinized by large numbers of third-party technologists?
  • How is encryption being used to increase security, both for data at rest and for traffic on the wire?

Public cloud security addresses top threats such as malicious insiders, hijacking of unencrypted traffic, and shared-technology vulnerabilities. Executives who appreciate the benefits of cloud computing in general need to understand all of these advantages before deciding they would be better served by building a cloud behind their own Maginot Line.

The bottom line is this: “We’ve always done it this way...” is NOT the way forward.

Tom Mornini co-founded Engine Yard to provide the infrastructure and support needed to fuel the development of Ruby on Rails applications. He has spent nearly 30 years as a programmer and software architect, with experience spanning nearly every major development platform of that period, and 20 years leading companies as a serial entrepreneur.